Stopping WikiSpam

I have a relatively dormant wiki I set up to keep track of classmates from school (see JoeysWiki). Although the wiki isn’t really active, I didn’t really want to take it down (at least, not yet) because it still has some quite relevant information. However, in the last few months the wiki has come under attack from a botnet trying to insert WikiSpam. I quickly protected the targeted pages, but this hasn’t stopped the botnet from attempting to deface the wiki. There must be several hundred computers trying to add content, which is a non-trivial drain on my fairly limited bandwidth.

I wanted to set up a relatively simple (yet automated) way to block the source addresses before they could do anything nasty. My solution involves periodically grepping the apache log files, and updating the firewall rules.

There are a number of components to a script to dynamically configure iptables.

/etc/sysconfig/iptables.default

This file contains the default rules for the firewall. Of particular interest, though, is the rule which passes all new connection attempts on port 80 to the HTTP-SPAMCHECK chain:

I can detect an attack attempt from a bug in the spambot – it tries to modify favicon.ico on a protected page. This solution is still a bit more complex than I like, but at least it’s stopped the problem (for the moment, at least).
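As an added example (not the script from this post), here is one way to wire the two steps together: pull the client addresses that match the spambot signature out of an Apache combined log, then emit DROP rules for the HTTP-SPAMCHECK chain. The chain name is from the post; the log path, the exact request pattern (favicon.ico with an edit action) and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Greps an Apache "combined" log for
# the spambot signature and prints iptables rules for the HTTP-SPAMCHECK chain.

LOG=${1:-/var/log/httpd/access_log}            # assumed default log path
SPAM_PATTERN='favicon[.]ico.*action=edit'       # assumed request signature

# Print each unique client IP whose request path matched SPAM_PATTERN.
# Reads log lines on stdin; $1 is the client, $7 the request path.
spam_ips() {
    awk -v pat="$SPAM_PATTERN" '$7 ~ pat { print $1 }' | sort -u
}

# Turn a list of IPs (stdin) into iptables commands for HTTP-SPAMCHECK.
# Only prints them; pipe into sh to apply. "-C" makes repeated runs idempotent
# by skipping addresses that already have a DROP rule.
block_rules() {
    while read -r ip; do
        printf 'iptables -C HTTP-SPAMCHECK -s %s -j DROP 2>/dev/null || iptables -A HTTP-SPAMCHECK -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Constructed sample log lines (RFC 5737 test addresses), used when no real log exists.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2006:13:55:36 -0700] "POST /wiki/favicon.ico?action=edit HTTP/1.1" 403 512 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Oct/2006:13:55:37 -0700] "GET /wiki/FrontPage HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2006:13:55:38 -0700] "POST /wiki/favicon.ico?action=edit HTTP/1.1" 403 512 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2006:13:55:39 -0700] "GET /wiki/favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"'

# Run against the real log if readable, otherwise against the constructed sample.
if [ -r "$LOG" ]; then
    spam_ips < "$LOG" | block_rules
else
    printf '%s\n' "$SAMPLE_LOG" | spam_ips | block_rules
fi
```

Run from cron and pipe the output into sh to apply; a plain GET of favicon.ico (the last sample line) is not matched, so ordinary browsers are left alone.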